// Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package common
import (
"time"
)
// Networking and namespace constants.
const (
	// VPNTunnel selects the VPN-based tunnel between the seed and the shoot networks.
	VPNTunnel string = "vpn-shoot"
	// IstioNamespace is the namespace Istio is installed into.
	IstioNamespace = "istio-system"
	// NodeLocalIPVSAddress is the IPv4 address node-local DNS listens on when IPVS is in use.
	// It is in the link-local range (169.254.0.0/16), so it is only reachable on the node itself.
	NodeLocalIPVSAddress = "169.254.20.10"
)

// Constants for encrypting shoot resources at rest in etcd.
const (
	// EtcdEncryptionChecksumLabelName marks shoot secrets that were already rewritten with the
	// current EncryptionConfiguration, so a later reconciliation does not rewrite them again.
	EtcdEncryptionChecksumLabelName = "shoot.gardener.cloud/etcd-encryption-configuration-checksum"
	// EtcdEncryptionForcePlaintextAnnotationName is the annotation on the EncryptionConfiguration
	// secret that forces the shoot secrets to be rewritten in plaintext.
	// NOTE(review): as the name implies, this removes at-rest protection from every shoot secret;
	// write access to the EncryptionConfiguration secret should be treated as equivalent to read
	// access to all shoot secrets in clear — confirm against the code that honours the annotation.
	EtcdEncryptionForcePlaintextAnnotationName = "shoot.gardener.cloud/etcd-encryption-force-plaintext-secrets"
	// EtcdEncryptionEncryptedResourceSecrets is the resource kind that gets encrypted.
	EtcdEncryptionEncryptedResourceSecrets = "secrets"
	// EtcdEncryptionKeyPrefix prefixes the key name inside the EncryptionConfiguration.
	EtcdEncryptionKeyPrefix = "key"
	// EtcdEncryptionKeySecretLen is the required byte length of the EncryptionConfiguration key.
	// 32 bytes is a 256-bit key (e.g. AES-256); which provider consumes it is not visible here.
	// NOTE(review): the key must be drawn from a cryptographically secure random source — check
	// that where the key is generated, it is not in this file.
	EtcdEncryptionKeySecretLen = 32
	// ETCDEncryptionConfigDataName is the ShootState data entry that holds the current key and the
	// encryption state used for shoot resources. The casing differs from the EtcdEncryption* names
	// above; it is kept as-is because callers depend on the identifier.
	ETCDEncryptionConfigDataName = "etcdEncryptionConfiguration"
)

// Prefixes, roles and secret names of the monitoring / logging stack.
const (
	// GrafanaOperatorsPrefix is the prefix of the operators' Grafana instance.
	GrafanaOperatorsPrefix = "go"
	// GrafanaUsersPrefix is the prefix of the users' Grafana instance.
	GrafanaUsersPrefix = "gu"
	// GrafanaOperatorsRole is the role name for operators.
	GrafanaOperatorsRole = "operators"
	// GrafanaUsersRole is the role name for users.
	GrafanaUsersRole = "users"
	// PrometheusPrefix is the prefix of the Prometheus instance.
	PrometheusPrefix = "p"
	// AlertManagerPrefix is the prefix of the AlertManager instance.
	AlertManagerPrefix = "au"
	// LokiPrefix is the prefix of the Loki instance.
	LokiPrefix = "l"
	// GardenLokiPriorityClassName is the PriorityClass used by Loki in the garden namespace.
	GardenLokiPriorityClassName = "garden-loki"
	// MonitoringIngressCredentials is the secret holding the operators' credentials for the
	// shoot monitoring ingress.
	MonitoringIngressCredentials = "monitoring-ingress-credentials"
	// MonitoringIngressCredentialsUsers is the secret holding the users' credentials for the
	// shoot monitoring ingress.
	MonitoringIngressCredentialsUsers = "monitoring-ingress-credentials-users"
	// AlertManagerTLS is the secret holding the TLS certificate of AlertManager.
	AlertManagerTLS = "alertmanager-tls"
	// GrafanaTLS is the secret holding the TLS certificate of Grafana.
	GrafanaTLS = "grafana-tls"
	// PrometheusTLS is the secret holding the TLS certificate of Prometheus.
	PrometheusTLS = "prometheus-tls"
	// LokiTLS is the secret holding the TLS certificate of Loki.
	LokiTLS = "loki-tls"
)

// Credentials and secrets of the shoot control plane.
const (
	// KubecfgUsername is the user name recorded for the token in the shoot's kubeconfig.
	// NOTE(review): the name says cluster-admin; if the token really carries that role, the
	// kubecfg secret is a full-control credential for the shoot and read access to it should be
	// restricted and the token rotated — the binding itself is not visible in this file.
	KubecfgUsername = "system:cluster-admin"
	// KubecfgSecretName is the name of the secret holding the shoot kubeconfig.
	KubecfgSecretName = "kubecfg"
	// KubeAPIServerHealthCheck is the key of the kube-apiserver-health-check user.
	KubeAPIServerHealthCheck = "kube-apiserver-health-check"
	// VPASecretName is the secret holding the TLS certificates used by VPA.
	VPASecretName = "vpa-tls-certs"
)

// Certificate lifetimes.
const (
	// EndUserCrtValidity is the lifetime of a user-facing certificate: 730 days (~2 years).
	// The linked Apple article caps trusted TLS server certificates at 825 days, which this
	// value satisfies. NOTE(review): publicly trusted leaf certificates have since been limited
	// to 398 days; confirm this lifetime is only applied to certificates from a Gardener-managed
	// CA before using it for publicly trusted ones.
	EndUserCrtValidity = 730 * 24 * time.Hour // see https://support.apple.com/en-us/HT210176
	// CrtRenewalWindow is how long before expiry a certificate is expected to be replaced.
	CrtRenewalWindow = 30 * 24 * time.Hour
)

// Managed resources, hash labels and DNS names.
const (
	// ManagedResourceShootCoreName is the name of the shoot-core managed resource.
	ManagedResourceShootCoreName = "shoot-core"
	// ManagedResourceAddonsName is the name of the addons managed resource.
	ManagedResourceAddonsName = "addons"
	// SeedSpecHash is a label on `ControllerInstallation`s (akin to `pod-template-hash` on `Pod`s).
	SeedSpecHash = "seed-spec-hash"
	// ControllerDeploymentHash is a label on `ControllerInstallation`s (akin to `pod-template-hash` on `Pod`s).
	ControllerDeploymentHash = "deployment-hash"
	// RegistrationSpecHash is a label on `ControllerInstallation`s (akin to `pod-template-hash` on `Pod`s).
	RegistrationSpecHash = "registration-spec-hash"
	// ShootDNSIngressName is the name of the DNS resources used by the shoot ingress addon.
	ShootDNSIngressName = "ingress"
)

// IngressTLSSecretNames lists the secrets holding operator- or user-facing x509 certificates,
// which are normally exposed through an `Ingress` in the shoot control plane. Presumably these
// are the certificates EndUserCrtValidity and CrtRenewalWindow apply to — verify in the caller.
var IngressTLSSecretNames = []string{AlertManagerTLS, GrafanaTLS, PrometheusTLS, LokiTLS}